Windows 11 24H2 will enable BitLocker encryption for everyone - happens on both clean installs and reinstalls

It's good for a portable device carrying corporate secrets. I don't need bitlocker at home on a desktop.

Are most people hitting their drives with a hammer before tossing their computers? Like really fucking their shit up?

When I worked in IT, we'd even gotten used drives with data still readable on them a few times.
 
This article has more holes than Swiss cheese.

First of all, it starts out with the amazing statement:



WTF are they talking about? 23H2 has been out for quite some time now. I've done countless installs of 23H2 at this point, everything from fresh installs, in-place upgrades, upgrades via Windows Update, etc., on systems that both meet and don't meet the system requirements. Some of them have been "re-installs", or installs on systems that already had 23H2 on them before. Never once has Bitlocker been enabled by default.



It seems like Tom's Hardware is just re-posting (and adding a lot of unsubstantiated theory onto) a short German article that has almost no actual details.

For example, one very important missing detail would be, what do they mean exactly when they say 24H2? I say that because 24H2 has not been officially released yet. Knowing exactly which unreleased version of 24H2 they are talking about would be kind of an important detail for them to mention, don't you think?

In terms of 24H2 versions:

You have the 24H2 version that many have theorized to be the RTM version (although Microsoft has NOT said this or confirmed this), version 26100.2. This was supposedly the early version that was pushed out to OEMs so that they could start getting 24H2 PCs ready for release. It's based on a build that was on both the Canary and Dev insider channels for a while, however both the Canary and Dev insider channels have since moved on from this build. I still have my doubts that this was actually the RTM version, as it never made it to the Beta or Release Preview insider channels, and is still pretty rough around the edges. And again, it was never confirmed by Microsoft to be the RTM version.

You have the latest Canary channel build, which is 26212.5000.

You have the latest Dev channel build, which is 26120.461.

The latest Beta channel build is 22635.3570 which is still based on 23H2, not 24H2.

The latest Release Preview build (also still 23H2) has not been updated in almost a month and is now older than non-insider builds going out on Windows Update.

I have tested all of these builds on machines that are both Windows 11 compliant and machines that are non-compliant and none of them have Bitlocker enabled by default, either on a fresh install, or after an in-place upgrade. Canary is as far out as things go when it comes to future versions of Windows. I guess bits of information, like what version they were actually testing, don't really matter when it's just a click-bait article on the hunt for ad-revenue.

If there is even one single person here who has had Bitlocker enable itself automatically, under 23H2 or a 24H2 insider build, care to share more context? Because this is something I can't replicate at this point.
This is Tom's assware we're talking about here... shouldn't come as a surprise. They have always been about quantity over quality.
 
Are most people hitting their drives with a hammer before tossing their computers? Like really fucking their shit up?

When I worked in IT, we'd even gotten used drives with data still readable on them a few times.
You don't need to do that, a secure erase command (both SATA and NVMe support it) will fully blank the disk, beyond any recovery. Ok I mean I suppose intelligence agencies could theoretically have a way to recover data, but the commercial data recovery companies can't. It works excellently.

...BUT you have to run it. That is part of what is driving "on by default" encryption for phones, computers, etc. Yes, people can and should blank their devices before they get rid of them, but they don't. Even companies don't. Our university decided that because of the issues with people not doing it properly, they'd just have surplus pull all drives and destroy them so PII doesn't leak. There's also the issue of dead devices, when something dies people assume that means the data is gone but of course it often doesn't. So even if they would normally think to erase it, they don't with a failed device.

Hence, we are seeing a move to encryption-at-rest for all devices. Security standards are starting to push it too, things like NIST 800-171, even in the datacenter. It isn't so much about hardware walking off, though that is a possible concern, but more on making sure data doesn't leak. Like say a drive in an array fails, and you send it back for RMA, just because the drive needs to be replaced doesn't mean the data is gone. You can't destroy it, you want a replacement, and you can't run a secure erase, it's dead. Having the data encrypted solves the problem nicely.
 
You don't need to do that, a secure erase command (both SATA and NVMe support it) will fully blank the disk, beyond any recovery. Ok I mean I suppose intelligence agencies could theoretically have a way to recover data, but the commercial data recovery companies can't. It works excellently.

...BUT you have to run it. That is part of what is driving "on by default" encryption for phones, computers, etc. Yes, people can and should blank their devices before they get rid of them, but they don't. Even companies don't. Our university decided that because of the issues with people not doing it properly, they'd just have surplus pull all drives and destroy them so PII doesn't leak. There's also the issue of dead devices, when something dies people assume that means the data is gone but of course it often doesn't. So even if they would normally think to erase it, they don't with a failed device.

Hence, we are seeing a move to encryption-at-rest for all devices. Security standards are starting to push it too, things like NIST 800-171, even in the datacenter. It isn't so much about hardware walking off, though that is a possible concern, but more on making sure data doesn't leak. Like say a drive in an array fails, and you send it back for RMA, just because the drive needs to be replaced doesn't mean the data is gone. You can't destroy it, you want a replacement, and you can't run a secure erase, it's dead. Having the data encrypted solves the problem nicely.
I’ve had to pull more than my fair share of data back from dead drives and with most people choosing to “recycle” and replace their devices rather than repair them I’d bet more than a little personal information gets leaked that way. This will help that a lot.
Performance-wise the TPM chips will eat 90% of the impact and most consumer laptops are already lacking in other areas so the remaining performance loss won't be felt because they are too anemic to notice the difference anyways.
 
Are most people hitting their drives with a hammer before tossing their computers? Like really fucking their shit up?

When I worked in IT, we'd even gotten used drives with data still readable on them a few times.
For work? No, our e-cycler shreds them. At home, I've never tossed a drive....
 
I’ve had to pull more than my fair share of data back from dead drives and with most people choosing to “recycle” and replace their devices rather than repair them I’d bet more than a little personal information gets leaked that way. This will help that a lot.
Performance-wise the TPM chips will eat 90% of the impact and most consumer laptops are already lacking in other areas so the remaining performance loss won't be felt because they are too anemic to notice the difference anyways.
I do wish that drive-based encryption was easier to make work. I don't know if MS, the drive manufacturers, or both need to change things but it DOES work right now, I've set it up, but it is harder than it should be and most people will end up doing it in software. As you say, not a big deal, with AES-NI CPUs can do it with little load, but on-drive would be even better and most SSDs support that.
 
I do wish that drive-based encryption was easier to make work. I don't know if MS, the drive manufacturers, or both need to change things but it DOES work right now, I've set it up, but it is harder than it should be and most people will end up doing it in software. As you say, not a big deal, with AES-NI CPUs can do it with little load, but on-drive would be even better and most SSDs support that.
IF you are connected with Win 11, on a machine with a TPM 2, and you are using a Microsoft account with that system,

Then I can say it works very smoothly, I am using it on my personal device through an outlook.com account, and at the office it’s managed through Intune and O365 and so far both have been pretty smooth sailing. Toss in an authentication app for 2FA and you’re golden.
At home I have not enabled the Bitlocker to Go features, but at work they are mandatory, and enforced.
Bitlocker to Go, though, is a separate optional function of Bitlocker which at this point is not enabled by default and has to be manually enabled after Bitlocker is enabled.

To date no serious issues have popped up. I had a few dodgy Dell BIOS updates delivered through Windows Update that triggered it, forcing the users to enter the recovery key, which is easy to obtain from either Intune or Outlook.com, but there is a timed window, about a minute, to type in the recovery key, which for the shittier typers out there is not going to happen on the first few tries. So I just ended up having to go out and type them in for them, because the hunt and peck crowd isn’t getting 48 digits in a minute; they will toss that machine out a window before they get enough practice to finish that off. Fortunately they are all numeric though, so if you are good on a number pad you can rattle it off in 20s easy. If you aren’t confident in your ability to get 48 numbers typed in under a minute then I highly suggest you make a USB recovery key.
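An added example for the recovery-key situation described above (editor's code, not the poster's): a PowerShell snippet that checks a transcribed 48-digit recovery password for transcription errors before you are standing at the boot prompt, and that adds a USB recovery key protector so the digits never have to be typed. The format rule it applies (eight 6-digit groups, each divisible by 11 with group/11 fitting in 16 bits, i.e. group < 720896) is the structure used by open-source BitLocker tooling such as libbde and dislocker; the cmdlet is from the built-in BitLocker module and needs an elevated prompt. The 48-digit value in the usage lines is constructed to satisfy the format and is not a real key.

```powershell
# Added example, not code from the thread. Requires the Windows BitLocker
# module (Add-BitLockerKeyProtector) and an elevated PowerShell session.

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$Password)
    # Tolerate the dashes and spaces people add when writing the key down
    $digits = $Password -replace '[\s-]', ''
    if ($digits -notmatch '^\d{48}$') { return $false }
    for ($i = 0; $i -lt 8; $i++) {
        $group = [int]$digits.Substring($i * 6, 6)
        # Each 6-digit group is 11 * (16-bit value); the last digit acts as a
        # check digit, so a mistyped or transposed digit fails one of these tests
        if (($group % 11) -ne 0 -or $group -ge 720896) { return $false }
    }
    return $true
}

function Add-UsbRecoveryKey {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][string]$UsbDriveRoot   # e.g. 'E:\' (assumed drive letter)
    )
    # Writes a .BEK external key file to the removable drive; at the recovery
    # prompt BitLocker accepts that drive instead of a typed 48-digit password.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryKeyPath $UsbDriveRoot -RecoveryKeyProtector
}

# Usage. Constructed value that satisfies the format; NOT a real recovery key.
$example = '123453-550000-720885-100001-440000-135795-366663-000011'
Test-BitLockerRecoveryPassword $example                        # True: every group passes
Test-BitLockerRecoveryPassword ($example -replace '^12', '21') # False: first two digits transposed
# Add-UsbRecoveryKey -MountPoint 'C:' -UsbDriveRoot 'E:\'      # creates the USB key protector
```

The format check only catches transcription errors; it says nothing about whether the key belongs to this volume. Keep the .BEK file on a drive that is stored separately from the laptop, since whoever holds it can unlock the volume.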
 
Ya I've had no issues with it, at home or at work. At home I have it on my laptop. I didn't bother to get the SED feature working, so it is just software encryption. At work I've got it to work with SED a few times, but as I said, it is more difficult than it should be to get that to work, and not all SSDs will do it. When it works, it works just like "normal" bitlocker except the actual encryption/decryption is done by the drive itself, meaning zero system load. You don't actually notice any difference in functionality, and the only way I know if it worked is looking at manage-bde -status. If it is using the drive's encryption, it'll note it.

We do our key escrow at work using Sophos (ugh) and that works fine. Actually, haven't had to use it for any updates, so far all the BIOS updates have properly suspended protectors, updated, then put them back on.
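An added example covering the two points in this post and the SED discussion above (editor's code, not the poster's): a PowerShell version of the manage-bde -status check that reports whether each volume is encrypted by the drive itself (SED, EncryptionMethod = Hardware) or by software AES, and whether a recovery-password protector exists to escrow; plus the suspend-protectors-then-update pattern that the poster's BIOS updates perform so a changed TPM measurement does not land the user at the recovery prompt. All cmdlets are from the built-in BitLocker module; the update step is a placeholder script block you supply.

```powershell
# Added example, not code from the thread. Requires the Windows BitLocker
# module (Get-BitLockerVolume, Suspend-BitLocker, Resume-BitLocker) and an
# elevated PowerShell session.

function Get-BitLockerSummary {
    foreach ($vol in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus      # FullyEncrypted / EncryptionInProgress / FullyDecrypted
            ProtectionStatus    = $vol.ProtectionStatus  # Off means protectors are suspended: key stored in the clear
            Method              = $vol.EncryptionMethod  # XtsAes128/XtsAes256 = software; Hardware = drive (SED)
            DriveDoesCrypto     = ($vol.EncryptionMethod -eq 'Hardware')
            Protectors          = ($vol.KeyProtector.KeyProtectorType -join ', ')   # e.g. Tpm, RecoveryPassword
            HasRecoveryPassword = ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')
        }
    }
}

function Invoke-UpdateWithSuspendedProtectors {
    param(
        [Parameter(Mandatory)][scriptblock]$UpdateStep,   # e.g. { & .\firmware-update.exe }  (placeholder)
        [string]$MountPoint = 'C:'
    )
    # Suspend for exactly one reboot: the volume stays encrypted, but the key is
    # not sealed to the TPM, so the post-update PCR values do not force recovery.
    # Protection resumes automatically after that reboot.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    try {
        & $UpdateStep
    } catch {
        # Update never ran: put protection back rather than leaving the key exposed
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        throw
    }
}

# Usage: show the status table, then warn about anything you could not escrow
Get-BitLockerSummary | Format-Table -AutoSize
Get-BitLockerSummary |
    Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and -not $_.HasRecoveryPassword } |
    ForEach-Object { Write-Warning "$($_.MountPoint): no RecoveryPassword protector; nothing to escrow" }
```

A volume whose ProtectionStatus stays Off after the reboot that should have resumed it is the thing to alert on in an estate: it means an update path suspended BitLocker and never turned it back on, which is equivalent to having no encryption at all for that machine.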
 
For work? No, our e-cycler shreds them. At home, I've never tossed a drive....

At work we snapped them with a crusher that literally bent them in half with a spike before they got shredded.

Encryption was a straight-up insurance requirement besides that.

Unfortunately, the average person isn't always doing the right thing. So I'm pretty sure that's where this is coming from, for better or worse.
 
At work we snapped them with a crusher that literally bent them in half with a spike before they got shredded.

Encryption was a straight-up insurance requirement besides that.

Unfortunately, the average person isn't always doing the right thing. So I'm pretty sure that's where this is coming from, for better or worse.
For normies, I tell them to take them out to a parking lot, toss them 30-40 ft in the air, and let 'em drop.
 
Are most people hitting their drives with a hammer before tossing their computers? Like really fucking their shit up?

When I worked in IT, we'd even gotten used drives with data still readable on them a few times.
No official reasons for non-work-related drives. If they're good, I keep them. If it's some old drive that's clicking, I sometimes pull the boards for spares. Magnets are cool and platters make good, shiny targets for days you feel like offloading some rifle rounds.
 
For normies, I tell them to take them out to a parking lot, toss them 30-40 ft in the air, and let 'em drop.

My dude, I'm surprised some people I worked with could work a toaster or change the batteries in their TV remote.

The idea of opening a case and possibly turning a couple of screws was literally a waking nightmare to some of these people.
 